It seems that threat actors are increasingly setting their sights on extracting vast amounts of user data from social media platforms. The cascade of incidents started last week with a data leak impacting more than half a billion Facebook users and was followed by another incident in which personal information belonging to a similar number of LinkedIn users also ended up for sale on a hacking forum. Barely a few days have passed, and Clubhouse, the popular audio-only social media platform, has experienced an incident of sorts of its own.
According to Cybernews, which broke the latest story, an SQL database containing scraped personal data of 1.3 million Clubhouse users is up for grabs on a hacker forum. The records include user IDs, names, usernames, social media handles, photo URLs, account creation dates, and information about who nominated the user to the app. However, Clubhouse said that the data is public, and anyone can access it through its API. Additionally, most of the information is freely viewable by other users of the app.
In the meantime, some well-regarded security experts have also joined the fray and contend that the incident is nowhere near as grave as portrayed by some media.
Regardless, it’s not a stretch to think that a motivated cybercriminal could use the harvested information in combination with data from other incidents to create a comprehensive portrait of potential victims. This could then be used to carry out targeted phishing campaigns and social engineering attacks; in some cases, the data could even be used to carry out identity theft.
There are ways for users to mitigate the chances of falling victim to enterprising cybercriminals. First of all, you should be wary of any unsolicited message you may receive from strangers on your linked social media accounts. Use strong and unique passwords and turn on multi-factor authentication wherever available, preferably with a hardware token or a mobile app. It’s also worth considering what kind of information you share on a publicly searchable profile, since oversharing can have serious consequences.
Clubhouse also made headlines in February when it emerged that an unidentified user had found a way to stream audio feeds from the app’s chat rooms to a third-party website. In addition, ESET researchers recently found that threat actors have also been trying to piggyback off the platform’s sudden success by spewing out malware that poses as the (still non-existent) official Android version of Clubhouse and aims to steal users’ login information for various online services.